Solved: Inline field extraction with rex

lukejadamec · ‎10-11-2013

I'm not a big regex power yet, I know this is easy, but since it is not on a system I can't test and figure out myself I'm looking for expert assistance.
Can someone provide a search rex that will pull both the interface and up-down fields from this log?

Oct  9 12:01:18 hos-a-3550-1.rockefeller.internal 2635634: Oct  9 12:01:17: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/3, changed state to down
Oct  9 12:01:18 hos-a-3550-1.rockefeller.internal 2635634: Oct  9 12:01:17: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/3, changed state to up

Looking for a rex that pulls two fields:

search | rex field=_raw ?(?<interface>?)?(?<up-down>?)? | stats count by interface,up-down

Thanks,

Luke

yannK · ‎10-12-2013

Here

mysearch | rex "Interface (?<interface>[^, ]*), changed state to (?<state>\w+)" | table interface state

View solution in original post

yannK · ‎10-12-2013

Here

mysearch | rex "Interface (?<interface>[^, ]*), changed state to (?<state>\w+)" | table interface state

yannK · ‎10-14-2013

here is a good place to start
http://www.regular-expressions.info/quickstart.html

lukejadamec · ‎10-12-2013

Thanks. I totally need to learn regex.

yannK · ‎10-11-2013

please show that you are looking for precisely.

Inline field extraction with rex

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?